Bug#816357: jedit: FTBFS: XThis.java:128: error: cannot find symbol [..] NotSerializableException

Markus Koschany apo at debian.org
Fri Mar 4 08:24:24 UTC 2016


On Thu, 03. Mar 22:30 tony mancill <tmancill at debian.org> wrote:
> On 03/03/2016 12:49 PM, Markus Koschany wrote:
> > Am 03.03.2016 um 05:03 schrieb tony mancill:
> >> Control: -1 tag  + confirmed
> >> Control: -1 owner tmancill at debian.org
> >>
> >> On 02/29/2016 11:05 PM, Chris Lamb wrote:
> >>> Source: jedit
> >>> Version: 5.3.0+dfsg-1
> >>> Severity: serious
> >>> Justification: fails to build from source
> >>
> >>>       [javac] /home/lamby/temp/cdt.20160301065925.cu0iTWjXkj/jedit-5.3.0+dfsg/org/gjt/sp/jedit/bsh/XThis.java:128: error: cannot find symbol
> >>>       [javac] 			throw new NotSerializableException();
> >>
> >> Thanks for the bug report.  Looks like we have a bit of porting for the
> >> latest bsh upload.
> >>
> >
> > Sorry for the inconvenience. If there is more involved than importing
> > the missing class, please let me know and I try to fix it.
>
> Hi Markus,
>
> No inconvenience at all. The issue seems to be with the upstream patch
> for CVE-2016-2510, which drops the java.io.Serializable interface from
> the InvocationHandler, but then references the ObjectStreamException and
> NotSerializableException classes from that package.
>
> I was able to get things working for jedit by applying the following
> patch (also attached), building a new bsh-src package locally, and using
> that for the jedit build.
>
> > diff -Nru bsh-2.0b4/debian/patches/CVE-2016-2510.patch bsh-2.0b4/debian/patches/CVE-2016-2510.patch
> > --- bsh-2.0b4/debian/patches/CVE-2016-2510.patch	2016-03-02 20:24:07.000000000 -0800
> > +++ bsh-2.0b4/debian/patches/CVE-2016-2510.patch	2016-03-03 22:10:57.000000000 -0800
> > @@ -35,8 +35,8 @@
> >  -	class Handler implements InvocationHandler, java.io.Serializable
> >  +	class Handler implements InvocationHandler
> >   	{
> > -+		private Object readResolve() throws ObjectStreamException {
> > -+			throw new NotSerializableException();
> > ++		private Object readResolve() throws java.io.ObjectStreamException {
> > ++			throw new java.io.NotSerializableException();
> >  +		}
> >  +
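Review bot: the two `++` lines that spell out `java.io.ObjectStreamException` and `java.io.NotSerializableException` are redundant wherever XThis.java already has `import java.io.*;`, but they are the safer form because this patch text is also compiled in a second copy of the file, org/gjt/sp/jedit/bsh/XThis.java in the jedit build (the path in the reported error), whose import list the hunk cannot assume, so keep the qualified names. Since the file being edited is the quilt patch debian/patches/CVE-2016-2510.patch itself, regenerate it with `quilt refresh` rather than hand-editing so its header and hunk offsets stay consistent with the modified source.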
>
> So, if you're okay with the patch, could you apply it and upload an
> updated bsh?  Or do you mind if I do?

Hi tony,

I can upload a new revision of bsh with this change later. I'm just wondering
why we need to use java.io.ObjectStreamException and
java.io.NotSerializableException explicitly because these classes are already
imported in bsh's XThis.java.

import java.io.*;

Anyway, it doesn't change the intention of the patch and should be safe.

Cheers,

Markus
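As an added illustration of the guard the patched Handler class relies on (example code written for this page, not bsh's or jedit's source; the class names LegacyHandler, HardenedHandler and GuardedSerializable are hypothetical), the following Java program round-trips three objects through ObjectOutputStream/ObjectInputStream. It goes slightly beyond the thread by also showing a class that keeps java.io.Serializable but carries the same throwing readResolve(), so the two halves of the upstream change can be seen separately: dropping Serializable stops the object being written at all, while a throwing readResolve() rejects any instance that a deserializer does manage to reconstruct.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamException;
import java.io.Serializable;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;

/* Added example, not bsh or jedit code. All class names below are hypothetical. */
public class SerializationGuardDemo {

    /* Pre-fix shape: a Serializable handler can be written out and, more
       importantly, reconstructed from any stream the application reads. */
    static class LegacyHandler implements InvocationHandler, Serializable {
        private static final long serialVersionUID = 1L;
        public Object invoke(Object proxy, Method m, Object[] args) { return null; }
    }

    /* Post-fix shape from the thread: Serializable is dropped and readResolve()
       throws, so the class no longer takes part in serialization at all. */
    static class HardenedHandler implements InvocationHandler {
        public Object invoke(Object proxy, Method m, Object[] args) { return null; }
        private Object readResolve() throws ObjectStreamException {
            throw new NotSerializableException("HardenedHandler");
        }
    }

    /* Isolates the second half of the change: even when a class stays
       Serializable, a throwing readResolve() rejects every deserialized instance. */
    static class GuardedSerializable implements Serializable {
        private static final long serialVersionUID = 1L;
        private Object readResolve() throws ObjectStreamException {
            throw new NotSerializableException("GuardedSerializable");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    /* Describes the outcome of a write-then-read cycle for one object. */
    static String roundTrip(Object o) {
        try {
            Object back = deserialize(serialize(o));
            return "round-tripped as " + back.getClass().getSimpleName();
        } catch (NotSerializableException e) {
            // Thrown by writeObject for HardenedHandler (not Serializable) and
            // by readResolve() for GuardedSerializable (rejected on read).
            return "rejected: NotSerializableException(" + e.getMessage() + ")";
        } catch (IOException | ClassNotFoundException e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        System.out.println("LegacyHandler       -> " + roundTrip(new LegacyHandler()));
        System.out.println("HardenedHandler     -> " + roundTrip(new HardenedHandler()));
        System.out.println("GuardedSerializable -> " + roundTrip(new GuardedSerializable()));
    }
}
```

Compile and run with `javac SerializationGuardDemo.java && java SerializationGuardDemo`; only the legacy handler completes the cycle, the hardened handler is refused at write time, and the guarded-but-Serializable class is refused when readResolve() runs during the read.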
